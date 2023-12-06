Cisco Talos Year in Review 2023 report reveals worrying intensity of cyber threats on network infrastructure

The Cisco Talos Year in Review 2023 paints a worrying picture of the cybersecurity landscape, analyzing events and trends from the past year and highlighting the key challenges facing organizations. The report reveals insights across the cybersecurity spectrum, focusing on investigations into telemetry trends, ransomware and extortion, network infrastructure, commodity loaders and APT (advanced persistent threat) groups based in China, Russia and the Middle East.

I had an exclusive opportunity to dive into the details of the network infrastructure portion of the report with Nick Biasini, global head of Cisco Talos Outreach. Biasini provides valuable insights shedding light on the strategies and motivations behind attacks on network infrastructure, a trend that has intensified in 2023.

The report shares the following highlights for network infrastructure:

Advanced actors have been attacking networking devices at an alarming rate this year, particularly China and Russia-based groups looking to further espionage objectives and facilitate covert operations against secondary targets.

Other cyber criminals are also beginning to follow suit, adopting this technique to sell unauthorized access to these devices on the dark web or to penetrate targeted networks and deploy ransomware.

Actors exploit weaknesses such as default credentials and unpatched vulnerabilities to gain initial access to a targeted device.

Three of the five most targeted device vulnerabilities in this area are serious or critical, and exploitation can, in some cases, lead to full device takeover. This can provide adversaries unhindered access to key components of the target’s network and security perimeter.

Exploit attempts against vulnerabilities in this area remained generally consistent throughout 2023 with occasional increases following public disclosure of vulnerabilities. This suggests that targeted organizations are often failing to patch their devices in a timely manner, and so actors see value in exploiting CVEs despite their age.

By remaining hidden after compromise and establishing additional methods of access without raising alarm bells, actors take steps to weaken the security of the environment and also introduce new vulnerabilities for later exploitation.

Talos is helping address this threat by supporting the Network Resilience Coalition, a Cisco co-founded coalition of industry leaders focused on securing critical data networks. Cisco’s global network infrastructure footprint makes us well-positioned to investigate and report on top-tier attackers and their malicious campaigns.

Adversaries are targeting network infrastructure

Biasini told me that the threat landscape has evolved, with adversaries including state-sponsored hackers and criminal organizations increasingly targeting network infrastructure. This change represents a strategic choice that exploits vulnerabilities in the devices that form the backbone of global communications and data exchange.

He emphasized that these attacks are not limited to enterprise-level infrastructure, but extend to consumer devices, reflecting the scale and diversity of the threat. “Then you have end consumer goods – we’ve seen a lot of activity targeting SOHO [small office/home office] tools, like your VPN filters and things like that.”

He explained that SOHO devices are a very attractive target because a compromised SOHO device provides attackers with a way to conduct proxy-based attacks. They can use home devices as their pivot point to launch attacks, making things like geofencing difficult to do and allowing threat actors to gain access to critical people, systems, and data.

The dual nature of the danger

Attacks on network infrastructure fall into two primary categories: those targeting consumer devices and those targeting enterprise-level infrastructure. In the consumer sector, devices such as routers and home networks have become critical to proxy-based attacks, allowing attackers to use these devices as a launchpad for further malicious activities.

On the enterprise side, edge devices are particularly vulnerable. These devices are essential to network operation but often lack comprehensive security measures, making them attractive targets for exploitation. Biasini stressed that these devices are often purpose-built and lack any means of running a full security stack locally. They are also left alone, rarely receiving updates or being rebooted.

COVID-19 and change in attack patterns

I asked if the focus on SOHO devices and the targeting of employees’ home networks had anything to do with the COVID-19 pandemic and the rise in remote and work-from-home scenarios. Biasini said the increase in attacks on SOHO devices occurred before the COVID-19 pandemic, but he acknowledged that the shift to remote work has increased the risk.

The pandemic has led to an increase in remote work, expanding the attack surface for cybercriminals. The lack of regular updates and maintenance of home networking equipment presents an increased opportunity for attackers to exploit vulnerabilities.

Challenges and strategies for enterprises

Enterprises face the dual challenge of securing their network infrastructure while maintaining limited control over devices provided by ISPs for employees’ home networks. Biasini suggested a multi-pronged approach to securing these devices, including using a VPN to encrypt traffic, deploying managed devices with an up-to-date security stack, shutting down the devices when they are not connected to the VPN, and maintaining visibility into those devices.

The important role of regular auditing and deception

Regular auditing, especially of external user accounts, is an important security measure. Biasini highlighted the trend of deception in cybersecurity, where organizations set traps using fake accounts and devices to identify potential intruders. This proactive approach can significantly enhance the security posture of an organization.

Guidance for future security measures

Biasini shared important advice to help organizations secure their network infrastructure:

Limit exposure of devices to the Internet and use access control lists (ACLs) for essential external interfaces.

Regularly update devices to fix vulnerabilities, moving away from the mindset of long uptime as a measure of reliability.

Implement effective logging strategies, including monitoring for the cessation of log output from a device, which may be an indicator of malicious activity.

Use external authentication mechanisms and multi-factor authentication to access network devices to ensure secure and controlled access.
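As an added example that is not from the Talos report or from this article, the following Python script shows two of the recommended controls in practice: checking a device inventory for log sources that have gone silent (the cessation-of-logging indicator above) and flagging any use of a decoy account of the kind described in the auditing section. All hostnames, usernames, addresses, timestamps and log lines are constructed for the example; the message format is only loosely modelled on IOS-style syslog and is not captured output.

```python
"""Silent-log-source and decoy-account detection over network-device syslog.

Added example; the sample data below is constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample: hosts, users, addresses and timestamps are made up.
# Format per line: <ISO-8601 timestamp> <hostname> <message>
SAMPLE_LOGS = """\
2023-12-06T08:00:05Z edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.1.1.5)
2023-12-06T08:00:09Z edge-rtr-2 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.5]
2023-12-06T08:20:11Z edge-rtr-2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: svc-backup-decoy] [Source: 203.0.113.7]
2023-12-06T09:15:42Z edge-rtr-2 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
2023-12-06T09:58:30Z edge-rtr-2 %SYS-6-LOGOUT: User netops has exited tty session 1(10.1.1.5)
"""

# Inventory of devices that are expected to keep logging (constructed).
EXPECTED_HOSTS = ["edge-rtr-1", "edge-rtr-2", "edge-fw-1"]
# Decoy ("honey") accounts that no legitimate person or process ever uses (constructed).
DECOY_USERS = {"svc-backup-decoy"}
# Fixed reference time so the run is reproducible; a live monitor would use the clock.
NOW = datetime(2023, 12, 6, 10, 0, tzinfo=timezone.utc)
# Longest acceptable gap between messages from one device before it counts as silent.
MAX_GAP = timedelta(minutes=30)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
USER_RE = re.compile(r"\[user:\s*([^\]]+)\]")


@dataclass
class LogEvent:
    ts: datetime
    host: str
    msg: str


def parse_syslog(text: str) -> List[LogEvent]:
    """Parse '<timestamp> <host> <message>' lines; malformed lines are skipped, not fatal."""
    events: List[LogEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_raw, host, msg = m.groups()
        # 'Z' suffix is rewritten so fromisoformat works on older Python versions too.
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        events.append(LogEvent(ts, host, msg))
    return events


def silent_sources(events: Iterable[LogEvent], expected_hosts: Iterable[str],
                   now: datetime, max_gap: timedelta) -> Dict[str, Optional[datetime]]:
    """Return {host: last_seen} for inventory hosts that stopped logging.

    last_seen is None for a host that never logged at all, which is the
    worst case: the device may be down, misconfigured, or have had logging
    disabled by an intruder.
    """
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        if ev.host not in last_seen or ev.ts > last_seen[ev.host]:
            last_seen[ev.host] = ev.ts
    silent: Dict[str, Optional[datetime]] = {}
    for host in expected_hosts:
        seen = last_seen.get(host)
        if seen is None or now - seen > max_gap:
            silent[host] = seen
    return silent


def decoy_account_activity(events: Iterable[LogEvent], decoy_users: set) -> List[LogEvent]:
    """Any login attempt naming a decoy account is suspicious by construction."""
    return [ev for ev in events
            if (m := USER_RE.search(ev.msg)) and m.group(1).strip() in decoy_users]


def run(text: str = SAMPLE_LOGS, now: datetime = NOW) -> dict:
    events = parse_syslog(text)
    return {
        "silent": silent_sources(events, EXPECTED_HOSTS, now, MAX_GAP),
        "decoy_hits": decoy_account_activity(events, DECOY_USERS),
    }


if __name__ == "__main__":
    report = run()
    for host, seen in report["silent"].items():
        print(f"SILENT {host}: last message {seen.isoformat() if seen else 'never'}")
    for ev in report["decoy_hits"]:
        print(f"DECOY  {ev.host} {ev.ts.isoformat()}: {ev.msg}")
```

Run against the constructed sample, the script reports edge-rtr-1 as silent (nothing since 08:00) and edge-fw-1 as never having logged, while edge-rtr-2 is healthy; it also surfaces the single failed login against the decoy account. In a real deployment the inventory would come from the device CMDB and `now` from the clock, and a device that falls silent would be treated as an incident to investigate rather than a monitoring nuisance.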

Importance of data security and access control

In addition to securing devices, Biasini also stressed the importance of data security. The concept of ‘data is king’ underlines the need for strong mechanisms to control access to sensitive information. He discussed the evolution of access control from routine permission management to dynamic and context-aware systems that adapt to the changing security landscape.

Looking Ahead: The Evolving Threat Landscape

Cisco Talos reports provide great insight into the challenges and trends facing organizations. Looking ahead to the coming year, I also reached out to some other cybersecurity experts for additional perspective.

Scott Gerlach, co-founder and CSO of Stackhawk, added API security to the mix. “This remains challenging due to the rapid pace of development relative to available security resources, leading to vulnerabilities being overlooked,” he warned. “Limited visibility of security teams during development and playing catch-up with new and existing APIs further emphasizes the risks.”

“Today, mobile security and education in the enterprise is more important than ever,” emphasized JT Keating, SVP of strategic initiatives at Zimperium. “In most cases, mobile devices represent a significant, unknown attack surface for enterprises. It doesn’t matter whether they are corporate owned or part of a BYOD strategy, the need to implement appropriate security controls and educate end users about potential threats is critical.”

As we look to the future, it is clear that the threat landscape will continue to evolve. Biasini’s insights underscore the need for organizations to be agile and adaptive in their cybersecurity strategies. The focus should be not only on reacting to threats but also on anticipating and preparing for new attack vectors.

Nick Biasini’s insights, combined with the findings of the Cisco Talos Year in Review report, provide a comprehensive understanding of the challenges of securing network infrastructure. Organizations must recognize the sophistication of modern cyber threats and adopt a multilayered defense strategy to protect their network infrastructure.

As the landscape evolves, so must our approach to cybersecurity, ensuring we stay one step ahead of adversaries.